Working Around, Over, and Through the Process

I really don't see the WTF with having your user name match your password.

Sincerely,
*****

Shiva2010-10-12 09:15

Ha! You've been caught and heads will roll!

I have changed my password to something you will never guess!

frits2010-10-12 09:16

Shiva:

Ha! You've been caught and heads will roll!

I have changed my ******** to something you will never guess!

FTFY

java.lang.Chris;2010-10-12 09:24

I worked at a bank where IT support had been out sourced to a firm in India. The machines they administered were still in Europe, but locked down so tight that it required a phone call to India to get anything vaguely sysadmin'ish done.

One day I came into work, sat down and tried to log in, only to find my password had expired. I asked around, and discovered that to reset it would require an email to IT support, a minimum support charge of 50GBP, and a two day turnaround. In other words, I could do no work for two days.

Thankfully, one of the support staff had forgotten to log out from a machine they had been using while carrying out some on site work. A colleague had the presence of mind to leave the machine be so that on occasions when things like passwords expired, it could be accomplished without needing IT support.

(Cut to twelve months later, and the bank no longer existed, absorbed into another bank during the credit crunch).

Anon2010-10-12 09:32

That's amazing. I've got the same combination on my luggage.

STarLite2010-10-12 09:55

Anon:

That's amazing. I've got the same combination on my luggage.

1...
2...
3...
4...
....
5...

The Enterpriser2010-10-12 10:02

1. Shiva is a strange name for a German.

2. TRWTF is risking your job by logging into production as someone else without their knowledge. Any workplace strict enough to allow such tight controls would absolutely be strict enough to fire someone for doing this.

3. TRRWTF is telling someone that you have just hacked someones production account. (yes, even if they had an easy to guess password).

4. TRRRWTF is that no-one has mentioned hunter2 yet.

My Name Is Missing2010-10-12 10:03

I worked at a Healthcare company where everyone knew the username and password for all the production servers and databases, and there was no audit system either. Security by stupidity.

Tynam2010-10-12 10:14

The Enterpriser:

Any workplace strict enough to allow such tight controls would absolutely be strict enough to fire someone for doing this.

Oh, if only _that_ were true. In many places I've worked, the security standard is "Guard the front door with tanks and artillery, then leave the window open and ignore all references to it so your staff don't waste time with all those door checkpoints. If anyone points out the open window, complain that they're nitpicking and not a team player."

Mike2010-10-12 10:17

“To keep Shiva from catching on,” the more senior developer explained, “we would play Shiva’s game once every other promotion.”

What did this mean? I can't understand it.

boog2010-10-12 10:37

feugiat:

Bill:

What's the process for proof-reading Daily WTF articles?

What's the protocol for "shutting the fsck up"?

I think you can just press CTRL + C to interrupt fsck, but why would you want to?

Anon2010-10-12 10:37

Mike:

“To keep Shiva from catching on,” the more senior developer explained, “we would play Shiva’s game once every other promotion.”

What did this mean? I can't understand it.

Once every other promotion (of code from dev to production), they let Shiva do his signing off thing in order to let him think the process is always followed and he's doing something useful. The rest of the time they just log in as him and do it themselves.

Zylon2010-10-12 10:41

See, this is why you don't hire Hindu gods as admins.

ih8u2010-10-12 10:52

Even though I'm an editor, I've learned to ignore the typos and grammatical pratfalls on this site. But this article sticks out like a sore thumb. It's not only poorly edited, it's extremely poorly written.

(Goes off to burn incense at Muphry's altar ... )

Even though I'm an editor, I've learned to start sentences with "But". *sigh*

I too have an eye for the grammatical. It was the only part of English class I could stand. I can, however, just RTFAs without screaming out in pain for a duplicated word or botched punctuation.

The writing could be better for sure, but I think complaining should be left for lines that literally make no sense.

boog2010-10-12 10:54

So I wonder how Shiva prevents people from signing-on in the environment prior to signing-in on the clipboard. Do you think he really locks user accounts until they write their names on a piece of paper? Maybe it's lonely in Shiva-land and he just wants people to visit him?

I can certainly appreciate Shiva's wanting to keep source control clean, but it seems there's something missing. Actually, this kind of anal-retentiveness indicates Shiva's total lack of understanding of how version control is supposed to work.

TFA:

...was he so narcissistic so as to type his name in over and over? ...or perhaps it was a hint.

Couldn't it be a little of both?

ShivaDestroyerOfWorlds2010-10-12 10:58

Not German, but perhaps reference to the god:

http://en.wikipedia.org/wiki/Shiva

d.k. Allen2010-10-12 10:58

frits:

Shiva:

Ha! You've been caught and heads will roll!

I have changed my *BUTT**** to something you will never guess!

FTFY

FTFTFY

Bitter Like Quinine2010-10-12 11:04

Even though I'm an editor, I've learned to ignore the typos and grammatical pratfalls on this site. But this article sticks out like a sore thumb...

Even though I'm an editor, I've learned to start sentences with "But".

And?

iToad2010-10-12 11:14

Shiva:

Ha! You've been caught and heads will roll!

I have changed my password to something you will never guess!

It's probably avihS.

Rich2010-10-12 11:52

I was in a startup where i started as both lead developer and Windows/Linux/FreeBSD sysadmin. Eventually they needed to hire a sysadmin to free me up 100% for dev duties. The sysadmin hated passwords. He set up NIS for our small-ish network. I checked it with ypcat, and he had set up a root-equiv/UID 0 account with no password at all. After i bitched to my boss/CEO (startup remember?) boss came back with something like "It's secure because no one will ever think we'd do something like that"

Somehow the "no one will think we're that incredibly stupid" defense didn't work for me. That and hoping no hacker has the elite tools known as ypcat.

CAPTCHA: transverbero
too f'ing long.

Maboule2010-10-12 12:11

I worked for a large company and the home directory rights were 775 and everyone was in the same group. When I mentioned that this was a security issue, I was told that an application required things to be that way and that there was a company policy against hacking so it wasn't a real security issue. I changed the rights on my home directory; the application kept on working fine.

Ami Rite2010-10-12 12:13

s/Townbank/Citibank/g
s/Shiva/Ravi/g

Central Processing2010-10-12 12:15

Clearly what was needed here was a process to control the creation of all new processes, so that something as ridiculous and workstopping as this would never be allowed to exist!

nasch2010-10-12 12:17

boog:

So I wonder how Shiva prevents people from signing-on in the environment prior to signing-in on the clipboard. Do you think he really locks user accounts until they write their names on a piece of paper?

I assumed the devs didn't have accounts with the rights to commit.

Me2010-10-12 12:18

If you had a shred of writesmanship, you would capitalize process throughout this article.

dubbreak2010-10-12 12:22

iToad:

Shiva:

Ha! You've been caught and heads will roll!

I have changed my password to something you will never guess!

It's probably avihS.

or toormai?

I've seen that one used a few times.

boog2010-10-12 12:32

nasch:

boog:

So I wonder how Shiva prevents people from signing-on in the environment prior to signing-in on the clipboard. Do you think he really locks user accounts until they write their names on a piece of paper?

I assumed the devs didn't have accounts with the rights to commit.

I assumed the same, but I wasn't talking about version control in the quote above; I was talking about the clipboard prerequisite for sign-on in the environment.

by2010-10-12 12:40

boog:

nasch:

boog:

So I wonder how Shiva prevents people from signing-on in the environment prior to signing-in on the clipboard. Do you think he really locks user accounts until they write their names on a piece of paper?

I assumed the devs didn't have accounts with the rights to commit.

I assumed the same, but I wasn't talking about version control in the quote above; I was talking about the clipboard prerequisite for sign-on in the environment.

This is extremely simple, particularly on an embedded system with no file system. All you have to do is alter the password verification routine to return TRUE, FALSE, or SHIVA_NOT_FOUND.

@Deprecated2010-10-12 12:51

Bitter Like Quinine:

Even though I'm an editor, I've learned to ignore the typos and grammatical pratfalls on this site. But this article sticks out like a sore thumb...

Even though I'm an editor, I've learned to start sentences with "But".

And?

No, never start your sentences with 'And'.

boog2010-10-12 13:05

@Deprecated:

Bitter Like Quinine:

And?

No, never start your sentences with 'And'.

"And is one of many words with which you should never start a sentence."

Oh, no! What have I done?

EngleBart2010-10-12 13:08

boog:

nasch:

boog:

So I wonder how Shiva prevents people from signing-on in the environment prior to signing-in on the clipboard. Do you think he really locks user accounts until they write their names on a piece of paper?

I assumed the devs didn't have accounts with the rights to commit.

I assumed the same, but I wasn't talking about version control in the quote above; I was talking about the clipboard prerequisite for sign-on in the environment.

The developers had a user account for email and the like. But when they wanted to log onto one of the developer accounts, I bet they used a separate account name that Shiva kept locked. In VMS it would have been very simple for him to enable your account, let you logon, and then disable your account. This would stop you from logging on after an idle-timer forced you off of the system. He could ensure that you had to bring him donuts every morning if he wanted.

VMS security still kicks but compared to Windows. I am still waiting for Windows to tell me how many login failures since my last login. With VMS, if the protaganist had not guessed the password correctly the first time, then Shiva would have known on his next login. It would of course trace back to his own desk which would really piss him off! Of course Shiva may have still noticed that his last successful login was from a time when he was away from his desk if he had really been paying attention!

P.S. Purposely started a sentence with "But". Can you feel the fingernails on the chalkboard?

danixdefcon52010-10-12 13:08

@Deprecated:

Bitter Like Quinine:

Even though I'm an editor, I've learned to ignore the typos and grammatical pratfalls on this site. But this article sticks out like a sore thumb...

Even though I'm an editor, I've learned to start sentences with "But".

And?

No, never start your sentences with 'And'.

Or?

Zylon2010-10-12 13:20

In a further development, Shiva has been downsized and replaced with...

Mark2010-10-12 13:23

@Deprecated:

Bitter Like Quinine:

Even though I'm an editor, I've learned to ignore the typos and grammatical pratfalls on this site. But this article sticks out like a sore thumb...

Even though I'm an editor, I've learned to start sentences with "But".

And?

No, never start your sentences with 'And'.

And why not?

Jaime2010-10-12 13:24

EngleBart:

boog:

nasch:

boog:

So I wonder how Shiva prevents people from signing-on in the environment prior to signing-in on the clipboard. Do you think he really locks user accounts until they write their names on a piece of paper?

I assumed the devs didn't have accounts with the rights to commit.

I assumed the same, but I wasn't talking about version control in the quote above; I was talking about the clipboard prerequisite for sign-on in the environment.

The developers had a user account for email and the like. But when they wanted to log onto one of the developer accounts, I bet they used a separate account name that Shiva kept locked. In VMS it would have been very simple for him to enable your account, let you logon, and then disable your account. This would stop you from logging on after an idle-timer forced you off of the system. He could ensure that you had to bring him donuts every morning if he wanted.

VMS security still kicks but compared to Windows. I am still waiting for Windows to tell me how many login failures since my last login. With VMS, if the protaganist had not guessed the password correctly the first time, then Shiva would have known on his next login. It would of course trace back to his own desk which would really piss him off! Of course Shiva may have still noticed that his last successful login was from a time when he was away from his desk if he had really been paying attention!

P.S. Purposely started a sentence with "But". Can you feel the fingernails on the chalkboard?

Windows authentication uses a multi-instance database with multi-master replication, your VMS example was a single system. Windows XP and later can also authenticate with cached credentials even without a network connection. A complete list of all login failures would have to be compiled from the logs of all systems that have ever been part of the Active Directory forest, even if they aren't currently on line. However, with event forwarding and a little reporting, you could get this information without too much effort. This is a typical case where an older system was easier to administer simply because it had fewer features.

Jay2010-10-12 13:29

by:

boog:

nasch:

boog:

So I wonder how Shiva prevents people from signing-on in the environment prior to signing-in on the clipboard. Do you think he really locks user accounts until they write their names on a piece of paper?

I assumed the devs didn't have accounts with the rights to commit.

I assumed the same, but I wasn't talking about version control in the quote above; I was talking about the clipboard prerequisite for sign-on in the environment.

This is extremely simple, particularly on an embedded system with no file system. All you have to do is alter the password verification routine to return TRUE, FALSE, or SHIVA_NOT_FOUND.

+1 This should be the start of a new running joke.

Jay2010-10-12 13:32

@Deprecated:

Bitter Like Quinine:

Even though I'm an editor, I've learned to ignore the typos and grammatical pratfalls on this site. But this article sticks out like a sore thumb...

Even though I'm an editor, I've learned to start sentences with "But".

And?

No, never start your sentences with 'And'.

Oh, the irony! In response to an article about organizations demanding that people follow a rule that serves no useful purpose just because "it's the rule", a poster ridicules someone for failing to follow a rule that serves no useful purpose just because "it's the rule".

Andy2010-10-12 13:32

Because a bunch of youngsters learning English would write fragments that started with a conjunction and then left out the other clause, teachers insisted that they not start sentences that way even though it is quite grammatical to do so.

Also, if you make the sentences long enough, that backwards form can be confusing, since you don't necessarily have all of the context until you reach the end.

Silfax2010-10-12 13:32

Zylon:

See, this is why you don't hire Hindu gods as admins.

I thought it was about the Jewish practice of shiva, not the Hindu deity.

In retrospect, either one fits. Sysadmins who think they are gods, or a mourning process.

frits2010-10-12 13:32

Jay:

by:

boog:

nasch:

boog:

So I wonder how Shiva prevents people from signing-on in the environment prior to signing-in on the clipboard. Do you think he really locks user accounts until they write their names on a piece of paper?

I assumed the devs didn't have accounts with the rights to commit.

I assumed the same, but I wasn't talking about version control in the quote above; I was talking about the clipboard prerequisite for sign-on in the environment.

This is extremely simple, particularly on an embedded system with no file system. All you have to do is alter the password verification routine to return TRUE, FALSE, or SHIVA_NOT_FOUND.

+1 This should be the start of a new running joke.

Please Shiva, no.

hatterson2010-10-12 13:33

danixdefcon5:

@Deprecated:

Bitter Like Quinine:

Even though I'm an editor, I've learned to ignore the typos and grammatical pratfalls on this site. But this article sticks out like a sore thumb...

Even though I'm an editor, I've learned to start sentences with "But".

And?

No, never start your sentences with 'And'.

Or?

Or is another word with which you should not begin sentences.

Jay2010-10-12 13:35

Grammar rules that I routinely ignore:

Never use a preposition to end a sentence with. (As Winston Churchill said, "That is a rule up with which I shall not put.")

Be sure to not split your infinitives. (I strive to boldly split infinitives that no man has split before.)

About sentence fragments.

And never begin a sentence with a conjunction.

Jay2010-10-12 13:37

Andy:

Because a bunch of youngsters learning English would write fragments that started with a conjunction and then left out the other clause, teachers insisted that they not start sentences that way even though it is quite grammatical to do so.

Also, if you make the sentences long enough, that backwards form can be confusing, since you don't necessarily have all of the context until you reach the end.

I'm not sure if you're being deliberately ironic, or if you failed to realize that both sentences of your reply begin with conjunctions, thus breaking the rule that you are defending.

KittyKat2010-10-12 13:39

Jaime:

EngleBart:

boog:

nasch:

boog:

So I wonder how Shiva prevents people from signing-on in the environment prior to signing-in on the clipboard. Do you think he really locks user accounts until they write their names on a piece of paper?

I assumed the devs didn't have accounts with the rights to commit.

I assumed the same, but I wasn't talking about version control in the quote above; I was talking about the clipboard prerequisite for sign-on in the environment.

The developers had a user account for email and the like. But when they wanted to log onto one of the developer accounts, I bet they used a separate account name that Shiva kept locked. In VMS it would have been very simple for him to enable your account, let you logon, and then disable your account. This would stop you from logging on after an idle-timer forced you off of the system. He could ensure that you had to bring him donuts every morning if he wanted.

VMS security still kicks but compared to Windows. I am still waiting for Windows to tell me how many login failures since my last login. With VMS, if the protaganist had not guessed the password correctly the first time, then Shiva would have known on his next login. It would of course trace back to his own desk which would really piss him off! Of course Shiva may have still noticed that his last successful login was from a time when he was away from his desk if he had really been paying attention!

P.S. Purposely started a sentence with "But". Can you feel the fingernails on the chalkboard?

Windows authentication uses a multi-instance database with multi-master replication, your VMS example was a single system. Windows XP and later can also authenticate with cached credentials even without a network connection. A complete list of all login failures would have to be compiled from the logs of all systems that have ever been part of the Active Directory forest, even if they aren't currently on line. However, with event forwarding and a little reporting, you could get this information without too much effort. This is a typical case where an older system was easier to administer simply because it had fewer features.

Heh, complicated does not equal good (repost, hit reply not quote)

itzac2010-10-12 13:52

The moral of the story: never break a rule until you understand why it is there.

FTS2010-10-12 14:26

Jay:

Andy:

Because a bunch of youngsters learning English would write fragments that started with a conjunction and then left out the other clause, teachers insisted that they not start sentences that way even though it is quite grammatical to do so.

Also, if you make the sentences long enough, that backwards form can be confusing, since you don't necessarily have all of the context until you reach the end.

I'm not sure if you're being deliberately ironic, or if you failed to realize that both sentences of your reply begin with conjunctions, thus breaking the rule that you are defending.

He's not defending the rule. The so-called rule is nothing of the sort. (I.e., it's perfectly okay to begin a sentence with and, or, or but.)

Buffled2010-10-12 14:29

boog:

@Deprecated:

Bitter Like Quinine:

And?

No, never start your sentences with 'And'.

"And is one of many words with which you should never start a sentence."

Oh, no! What have I done?

Some people might call it funny. I just call it "rape of the English language". (Note that there's some question over whether the period goes inside or outside of the quote: My Rule states that if the content inside the quotes is a complete sentence, then the period goes inside. Otherwise, it goes outside. Everyone should follow My Rule.)

Mark2010-10-12 14:35

My problem here is that the story conflates two situations:

The bulk of the story describes a procedure whose costs clearly outweigh any benefits it could ever have. That's a problem.

But the into to the story reads as a typical developer rant against ANY procedure one might be required to follow, suggesting that a developer should never be told to follow a procedure the reasons for which he or she doesn't personally understand.

So what are you to do as an organization with legitimate problems that require a process? For example, perhaps you have a promotion policy that requries the use of a source control system and certain documentation. Undocumented exceptions would quickly erode the value of this system, and it may well be that your long term costs would be much higher without it. It may even be that you couldn't meet your legal obligations without it.

Yet short-term costs will always be lower without it, and we all know that when a project is behind the principals will argue that there's not time to do things right. There will always be a demand for these exceptions regardless of the long-term costs. So what are you to do?

Do you spend the time to draw out example scenarios that are long-term enough the developer is going to dismiss them anyway, regardless of their validity? Do you waste time explaining the purpose and connecting the dots over and over again? Do you fire perfectly good development talent because they can't or won't grasp the underlying reasons for the process? Do you just let them ignore the policies and hope for the best (all too common, actually)?

Or maybe, if you want your organization to function over any length of time, you tell them "it's not in your project's scope to change the process or tell me how much you like it; it is the process."

David2010-10-12 15:12

TRWTF is that this story must be 25 years old; VAXen were still the new thing in the mid 1980's but not much beyond. Still, if you want old stories...

Jaime:

Windows authentication uses a multi-instance database with multi-master replication, your VMS example was a single system. Windows XP and later can also authenticate with cached credentials even without a network connection.

So could VMS over DECnet.

As EngleBart said, VMS records login times, and can show who is online. I once noticed an account logged on when its owner was away, and from a VT100 in a different office to his.
When I called our Sandwich Student into my office and told him where and when he had logged in as Roger, he was shocked that I knew, and confessed immediately. Had I told his college, he'd probably have been kicked out and failed his degree. However those were more innocent times, and his actual punishment was to become a System Administrator - he'd proved at least some ability, and with full access to SYSTEM he'd have no more incentive to break in. He did a good job of it too. (And yes, we blocked Roger's account and made him change his weak password when he came back.)

TRRWTF is that nowadays the student would probably have got a police record, and his future career would have been ruined. Still, can't be too careful with all those terrorists about can we?

ÃƒÆ’Ã†â€™Ãƒâ€ Ã¢â‚¬â„¢ÃƒÆ’Ã¢â‚¬Â ÃƒÂ¢Ã¢â€šÂ¬Ã¢â€ž2010-10-12 15:33

Jay:

Grammar rules that I routinely ignore:

Never use a preposition to end a sentence with. (As Winston Churchill said, "That is a rule up with which I shall not put.")

Be sure to not split your infinitives. (I strive to boldly split infinitives that no man has split before.)

About sentence fragments.

And never begin a sentence with a conjunction.

Aha! You're the one who has been writing all these TDWTF articles! I found you sir.

Con Junction2010-10-12 15:35

Nor any other conjunction, neither.

boog2010-10-12 15:59

EngleBart:

...I bet they used a separate account name that Shiva kept locked. In VMS it would have been very simple for him to enable your account, let you logon, and then disable your account. This would stop you from logging on after an idle-timer forced you off of the system.

Okay, so you're sticking with the Shiva-is-a-sociopath theory?

Interesting...

EngleBart:

P.S. Purposely started a sentence with "But". Can you feel the fingernails on the chalkboard?

P.S. I can't feel them, but I can hear them. And it's music to my ears!

Andy2010-10-12 16:07

Jay:

Andy:

Because a bunch of youngsters learning English would write fragments that started with a conjunction and then left out the other clause, teachers insisted that they not start sentences that way even though it is quite grammatical to do so.

Also, if you make the sentences long enough, that backwards form can be confusing, since you don't necessarily have all of the context until you reach the end.

I'm not sure if you're being deliberately ironic, or if you failed to realize that both sentences of your reply begin with conjunctions, thus breaking the rule that you are defending.

It is perfectly grammatical to start sentences with a conjunction. What is not grammatical is writing a sentence fragment as if it were a sentence, regardless of the part of speech of the first word in the sentence. Since so many young students write sentence fragments, thinking that they are writing sentences, by beginning with these connecting words, teachers often tell students not to do so. This eventually was interpreted as a prohibition on the sentence form rather than a simple rule to help prevent the accidental use of fragments.

"Because it's a complete sentence." is not a sentence, but "Because it's a complete sentence, it doesn't matter that it starts with a conjunction." is.

Bitter Like Quinine2010-10-12 16:19

@Deprecated:

Bitter Like Quinine:

Even though I'm an editor, I've learned to ignore the typos and grammatical pratfalls on this site. But this article sticks out like a sore thumb...

Even though I'm an editor, I've learned to start sentences with "But".

And?

No, never start your sentences with 'And'.

No, that's bollocks. English writers have been starting sentences with coordinating conjunctions since Chaucer's day and never stopped. Nor does either my Fowler's English Usage or Oxford Companion to the English Language say a damn thing about not doing so.

This is one of those mythical rules, like not ending sentences with a preposition, that exist nowhere but in the minds of fourth grade English teachers (in both senses).

http://grammar.ccc.commnet.edu/grammar/conjunctions.htm

boog2010-10-12 16:28

Buffled:

Some people might call it funny. I just call it "rape of the English language".

That's a pretty extreme way of putting it. How about calling it "drawing-a-goatee-and-giant-eyebrows on the English language"?

ÃƒÆ’Ã†â€™Ãƒâ€ Ã¢â‚¬â„¢ÃƒÆ’Ã¢â‚¬Â ÃƒÂ¢Ã¢â€šÂ¬Ã¢â€ž2010-10-12 16:36

boog:

EngleBart:

...I bet they used a separate account name that Shiva kept locked. In VMS it would have been very simple for him to enable your account, let you logon, and then disable your account. This would stop you from logging on after an idle-timer forced you off of the system.

Okay, so you're sticking with the Shiva-is-a-sociopath theory?

Interesting...

EngleBart:

P.S. Purposely started a sentence with "But". Can you feel the fingernails on the chalkboard?

P.S. I can't feel them, but I can hear them. And it's music to my ears!

But the sound is supposed to make you cringe.

Bitter Like Quinine2010-10-12 16:42

Jay:

Grammar rules that I routinely ignore:

Never use a preposition to end a sentence with. (As Winston Churchill said, "That is a rule up with which I shall not put.")

Except Churchill probably never said it. It appeared as a humour piece in Strand Magazine at least four years before Churchill's supposed marginal reply, and most likely dates from earlier still.

http://itre.cis.upenn.edu/~myl/languagelog/archives/001715.html

smxlong2010-10-12 16:52

boog:

So I wonder how Shiva prevents people from signing-on in the environment prior to signing-in on the clipboard. Do you think he really locks user accounts until they write their names on a piece of paper? Maybe it's lonely in Shiva-land and he just wants people to visit him?

I don't think that was the point of that protocol. More likely, the idea is that if there is a log entry showing that somebody was logged in at a certain time, but no corresponding entry on the clipboard, then clearly that person was not who he said he was and wasn't authorized. It's for detecting fishiness after the fact, not preventing it.

MarkJ2010-10-12 17:22

My Name Is Missing:

I worked at a Healthcare company where everyone knew the username and password for all the production servers and databases, and there was no audit system either. Insecurity by stupidity.

FTFY

Timmy2010-10-12 18:21

EngleBart:

VMS security still kicks but compared to Windows. I am still waiting for Windows to tell me how many login failures since my last login.

And then you'll be pleased to know this functionality can be enabled in a Windows 2008 domain with Win7 and 2008 clients.

Because a bunch of youngsters learning English would write fragments that started with a conjunction and then left out the other clause, teachers insisted that they not start sentences that way even though it is quite grammatical to do so.

Also, if you make the sentences long enough, that backwards form can be confusing, since you don't necessarily have all of the context until you reach the end.

I'm not sure if you're being deliberately ironic, or if you failed to realize that both sentences of your reply begin with conjunctions, thus breaking the rule that you are defending.

1. Refusing to answer "why?" with a sentence that begins with "because" seems unnatural. It's the way people talk. (This raises another point: conversation needn't obey the rules of formal writing, and discussion in a forum such as this tends toward the conversational side.)

2. There never was a rule against beginning a sentence with a conjunction. The rule applies specifically to "and", "or", and "but", not ALL conjunctions. (I'm in the camp that believes the rule is stupid and arbitrary, BTW, but that's neither here nor there.)

So I wonder how Shiva prevents people from signing-on in the environment prior to signing-in on the clipboard. Do you think he really locks user accounts until they write their names on a piece of paper? Maybe it's lonely in Shiva-land and he just wants people to visit him?

I don't think that was the point of that protocol.

Obviously.
</duh>

smxlong:

More likely, the idea is that if there is a log entry showing that somebody was logged in at a certain time, but no corresponding entry on the clipboard, then clearly that person was not who he said he was and wasn't authorized. It's for detecting fishiness after the fact, not preventing it.

Please explain to me how this protocol, in an environment with proper authentication, is not absurd. Or do you think that Shiva assumed everyone else was just as dumb as he was and used their names as their passwords as well?

little Johnny2010-10-12 20:32

"I is..."

"No, no, always use 'I am'."

"Alright then. I am the ninth letter of the alphabet!"

Captcha: acsi - character set used for bad spelling :)

Grumpy2010-10-13 04:01

itzac:

The moral of the story: never break a rule until you understand why it is there.

Funny, I do it the other way around: never adhere to a rule unless you understand why it is there. Make the rulemaker explain why a rule is necessary or ignore it. "Because I say so" does not make a rule necessary. Also, this makes driving a car so much more interesting.

Dave2010-10-13 04:57

d.k. Allen:

frits:

Shiva:

Ha! You've been caught and heads will roll!

I have changed my *BUTT**** to something you will never guess!

FTFY

FTFTFY

That's what you get for making silly buttumptions.

Ryan2010-10-13 05:02

The Enterpriser:

4. TRRRWTF is that no-one has mentioned hunter2 yet.

huh, it just appears as *******'s for me, but if i copy and paste those stars instead of writing them, it appears as hunter2 for you.

Even though I'm an editor, I've learned to ignore the typos and grammatical pratfalls on this site. But this article sticks out like a sore thumb...

Even though I'm an editor, I've learned to start sentences with "But".

And?

No, never start your sentences with 'And'.

Or?

But I like starting sentences with a conjunction. And it's never been a problem before. Or has it only recently become a problem?

TheRider2010-10-13 09:01

David:

TRWTF is that this story must be 25 years old; VAXen were still the new thing in the mid 1980's but not much beyond. Still, if you want old stories...

...old story...

TRRWTF is that nowadays the student would probably have got a police record, and his future career would have been ruined. Still, can't be too careful with all those terrorists about can we?

Well, during my studies I wrote a program that presented a screen and acted the same as the original login screen of the mainframe computer my university had at the time (this was in 1984). My program waited until someone approached the terminal and tried to login, logged the username and password to a file in my user account, and then told the user that his password was wrong. The problem was, that any unattended session was forcibly ended after at most 30 minutes, so I wasn't able to collect very many passwords.

Still, after a while, the sysadmin realized what was going on and forced me to delete the program and the source code from the system. And that was also the end of the story. It remained between the two of us. Good times. I am also quite sure that nowadays, they would tell the police and throw me out of uni.

Matt Westwood2010-10-13 09:01

Andy:

Jay:

Andy:

Because a bunch of youngsters learning English would write fragments that started with a conjunction and then left out the other clause, teachers insisted that they not start sentences that way even though it is quite grammatical to do so.

Also, if you make the sentences long enough, that backwards form can be confusing, since you don't necessarily have all of the context until you reach the end.

I'm not sure if you're being deliberately ironic, or if you failed to realize that both sentences of your reply begin with conjunctions, thus breaking the rule that you are defending.

It is perfectly grammatical to start sentences with a conjunction. What is not grammatical is writing a sentence fragment as if it were a sentence, regardless of the part of speech of the first word in the sentence. Since so many young students write sentence fragments, thinking that they are writing sentences, by beginning with these connecting words, teachers often tell students not to do so. This eventually was interpreted as a prohibition on the sentence form rather than a simple rule to help prevent the accidental use of fragments.

"Because it's a complete sentence." is not a sentence, but "Because it's a complete sentence, it doesn't matter that it starts with a conjunction." is.

"Why did you write 'the cat sat on the mat'?"

"Because it's a complete sentence."

Sentence fragments are sometimes perfectly appropriate. Death to grammar fascists.

Matt Westwood2010-10-13 09:08

TheRider:

David:

TRWTF is that this story must be 25 years old; VAXen were still the new thing in the mid 1980's but not much beyond. Still, if you want old stories...

...old story...

TRRWTF is that nowadays the student would probably have got a police record, and his future career would have been ruined. Still, can't be too careful with all those terrorists about can we?

Well, during my studies I wrote a program that presented a screen and acted the same as the original login screen of the mainframe computer my university had at the time (this was in 1984). My program waited until someone approached the terminal and tried to login, logged the username and password to a file in my user account, and then told the user that his password was wrong. The problem was, that any unattended session was forcibly ended after at most 30 minutes, so I wasn't able to collect very many passwords.

Still, after a while, the sysadmin realized what was going on and forced me to delete the program and the source code from the system. And that was also the end of the story. It remained between the two of us. Good times. I am also quite sure that nowadays, they would tell the police and throw me out of uni.

We a detached process once that listed all the files in a user's directory structure in such a way as to make it look as though it were deleting them all. They pressed ctrl-y in panic, of course, and it said, "Sorry, can't stop" and carried on going. It made one of the programmers in the team burst into tears. Ah, happy days. I still get occasional VAX work even now.

Matt Westwood2010-10-13 09:09

Matt Westwood:

We a detached process once that listed all the files in a user's directory structure in such a way as to make it look as though it were deleting them all. They pressed ctrl-y in panic, of course, and it said, "Sorry, can't stop" and carried on going. It made one of the programmers in the team burst into tears. Ah, happy days. I still get occasional VAX work even now.

... sorry, that's "We wrote a detached process ..."

SR2010-10-13 09:23

boog:

That's a pretty extreme way of putting it. How about calling it "drawing-a-goatee-and-giant-eyebrows on the English language"?

+1 (Funny)

JB2010-10-13 09:42

Mike:

“To keep Shiva from catching on,” the more senior developer explained, “we would play Shiva’s game once every other promotion.”

What did this mean? I can't understand it.

If they need to get something done, they use Shiva's login & password. If they have something that isn't so important, they jump through the hoops of the official process, to keep Shiva noticing that things are getting done yet nobody's talking to him.

anon2010-10-13 10:20

A well known investment bank that has since become a victim of the Banking Crisis, had "security" and "security" as the user name and password of the system in their security office that allowed access control and employee payment cards to be configured. Access all areas and a licence to print money - who needs security when "security/security" will do!

wtf2010-10-13 10:49

Bitter Like Quinine:

Except Churchill probably never said it. It appeared as a humour piece in Strand Magazine at least four years before Churchill's supposed marginal reply, and most likely dates from earlier still.

If you don't have an actual source, it's always safe to attribute a quote to Churchill or Wilde if it's even marginally clever. It's sort of the like the "Discovery Channel" rule - if you don't have a real source for a fact you've made up, you can always say "no, it's true, I saw it on the Discovery Channel!"

PG42010-10-13 11:09

The real fun with VMS is to write a program that allocates a bit of non paged pool and copies a routines to it that gets fired by a system timer to change the prompt of one of your friends every 30 seconds.

The nice part is, you can log out and it will continue to run until the system is rebooted, or you track down and cancel the timer. And it is very very hard for someone even your victim to find.

anon2010-10-13 11:11

Shiva:

I am become Shiva, destroyer of productivity!

Look on my security protocols, ye mighty, and despair!

itzac2010-10-13 12:38

Grumpy:

itzac:

The moral of the story: never break a rule until you understand why it is there.

Funny, I do it the other way around: never adhere to a rule unless you understand why it is there. Make the rulemaker explain why a rule is necessary or ignore it. "Because I say so" does not make a rule necessary. Also, this makes driving a car so much more interesting.

I suppose the unstated corollary is better illustrated by the story: don't worry about rules that fail to achieve their intended purpose.

Jay2010-10-13 12:46

Mark:

My problem here is that the story conflates two situations:

The bulk of the story describes a procedure whose costs clearly outweigh any benefits it could ever have. That's a problem.

But the into to the story reads as a typical developer rant against ANY procedure one might be required to follow, suggesting that a developer should never be told to follow a procedure the reasons for which he or she doesn't personally understand.

So what are you to do as an organization with legitimate problems that require a process? For example, perhaps you have a promotion policy that requries the use of a source control system and certain documentation. Undocumented exceptions would quickly erode the value of this system, and it may well be that your long term costs would be much higher without it. It may even be that you couldn't meet your legal obligations without it.

Yet short-term costs will always be lower without it, and we all know that when a project is behind the principals will argue that there's not time to do things right. There will always be a demand for these exceptions regardless of the long-term costs. So what are you to do?

Do you spend the time to draw out example scenarios that are long-term enough the developer is going to dismiss them anyway, regardless of their validity? Do you waste time explaining the purpose and connecting the dots over and over again? Do you fire perfectly good development talent because they can't or won't grasp the underlying reasons for the process? Do you just let them ignore the policies and hope for the best (all too common, actually)?

Or maybe, if you want your organization to function over any length of time, you tell them "it's not in your project's scope to change the process or tell me how much you like it; it is the process."

Sure, the fact that someone doesn't "personally understand" a rule is not a valid reason to ignore it. G. K. Chesterton once wrote that if someone tells you that a rule or custom or tradition should be abolished, ask him why it was instituted in the first place. If he can give you a clear answer, and then explain why that reason is no longer applicable or why it was a bad idea to begin with, then maybe he should be allowed to abolish the rule. But if he can't tell you why it was originally invented, he is clearly not qualified to say whether those reasons are good or not.

But on the flip side, to say "it's not in your project's scope to change the process or tell me how much you like it; it is the process" is not valid either. If the only defense anyone can offer for a policy is that it's the policy or that it's in the rule book, it is probably not a good policy.

I've had plenty of conversations that went something like:

Me: "Why are we required to do X. It seems to take a lot of time for no clear benefit."
Other person: "Because that's company policy."
Me: "But why is that company policy?"
Other person: "Because the ZZZ Department put it in the policy book."
Me: "Yes, I understand that, but WHY did they create this policy? What purpose does it serve?"
Other person: "But I just explained to you! Because the ZZZ Department decided that this should be the rule?"
Etc.

Jay2010-10-13 12:51

Mark:

My problem here is that the story conflates two situations:

The bulk of the story describes a procedure whose costs clearly outweigh any benefits it could ever have. That's a problem.

But the into to the story reads as a typical developer rant against ANY procedure one might be required to follow, suggesting that a developer should never be told to follow a procedure the reasons for which he or she doesn't personally understand.

So what are you to do as an organization with legitimate problems that require a process? For example, perhaps you have a promotion policy that requries the use of a source control system and certain documentation. Undocumented exceptions would quickly erode the value of this system, and it may well be that your long term costs would be much higher without it. It may even be that you couldn't meet your legal obligations without it.

Yet short-term costs will always be lower without it, and we all know that when a project is behind the principals will argue that there's not time to do things right. There will always be a demand for these exceptions regardless of the long-term costs. So what are you to do?

Do you spend the time to draw out example scenarios that are long-term enough the developer is going to dismiss them anyway, regardless of their validity? Do you waste time explaining the purpose and connecting the dots over and over again? Do you fire perfectly good development talent because they can't or won't grasp the underlying reasons for the process? Do you just let them ignore the policies and hope for the best (all too common, actually)?

Or maybe, if you want your organization to function over any length of time, you tell them "it's not in your project's scope to change the process or tell me how much you like it; it is the process."

Sure, the fact that someone doesn't "personally understand" a rule is not a valid reason to ignore it. G. K. Chesterton once wrote that if someone tells you that a rule or custom or tradition should be abolished, ask him why it was instituted in the first place. If he can give you a clear answer, and then explain why that reason is no longer applicable or why it was a bad idea to begin with, then maybe he should be allowed to abolish the rule. But if he can't tell you why it was originally invented, he is clearly not qualified to say whether those reasons are good or not.

But on the flip side, to say "it's not in your project's scope to change the process or tell me how much you like it; it is the process" is not valid either. If the only defense anyone can offer for a policy is that it's the policy or that it's in the rule book, it is probably not a good policy.

I've had plenty of conversations that went something like:

Me: "Why are we required to do X. It seems to take a lot of time for no clear benefit."
Other person: "Because that's company policy."
Me: "But why is that company policy?"
Other person: "Because the ZZZ Department put it in the policy book."
Me: "Yes, I understand that, but WHY did they create this policy? What purpose does it serve?"
Other person: "But I just explained to you! Because the ZZZ Department decided that this should be the rule?"
Etc.

Spoe2010-10-13 13:51

ih8u:

Even though I'm an editor, I've learned to start sentences with "But". *sigh*

I too have an eye for the grammatical. It was the only part of English class I could stand. I can, however, just RTFAs without screaming out in pain for a duplicated word or botched punctuation.

The writing could be better for sure, but I think complaining should be left for lines that literally make no sense.

Starting a sentence with a conjunction is perfectly acceptable. See The Chicago Manual of Style, 16th Edition, section 5.206.
Similarly, it's also acceptable to end a sentence with a preposition. See section 5.176 of the same.

Tanuki2010-10-13 16:14

This reminds me of an old joke about a village that hired a known pyromaniac as the fire marshal. "So when a fire is started, the fire marshal is instantly present."

Sir Winston Churchill2010-10-13 17:09

If you don't have an actual source, it's always safe to attribute a quote to Churchill or Wilde if it's even marginally clever.

anonymous2010-10-14 07:31

I don't understand why so many people are afraid of using 'and' at the beginning of a sentence. It could be worse, imagine people using it at the end of a sentence and.

Stew2010-10-14 22:39

Zylon:

See, this is why you don't hire Hindu gods as admins.

I dunno. I hear Vishnu is pretty good with Exchange.

Kevin White2010-10-15 08:09

This was my story and unfortunately the "author" decided to make it 3 to 4 times longer than what I wrote.

It wasn't a hysterically funny story to begin with but the too-clever by half additions made it less funny. Ponderous even.

As far as people's comments as to getting in trouble using someone else's terminal or logging in as someone else. This was a system that was not in full production yet and it was 1987-1988. There wasn't so much emphasis on security back then.

Except as far as Shiva was concerned.

KW

Shiva Supporter2010-10-17 22:56

You have to spoil the fun, don't you?!

cappeca2010-10-18 09:18

@Deprecated:

Bitter Like Quinine:

Even though I'm an editor, I've learned to ignore the typos and grammatical pratfalls on this site. But this article sticks out like a sore thumb...

Even though I'm an editor, I've learned to start sentences with "But".

And?

No, never start your sentences with 'And'.

And remember, prepositions are something you never end a sentence with.

tgape2010-12-17 11:22

Buffled:

(Note that there's some question over whether the period goes inside or outside of the quote: My Rule states that if the content inside the quotes is a complete sentence, then the period goes inside. Otherwise, it goes outside. Everyone should follow My Rule.)

Otherwise known as the English rule for periods around end quotes.

The American rule is simpler: period always inside the quotes.

I have seen some people following the rule: period always outside the quotes. I've no idea where this idea came from.

Even though I am an American, I feel the American rule is, IMHO, stupid - but not as bad as period always outside the quotes.

(Btw, I believe the same holds true for periods around end parentheses (such as these).)